.\" Manpage for AIEngine.
.\" Contact luis.camp0.2009@gmail.com to correct errors or typos.
.TH aiengine 8 "26 April 2022" "2.1.0" "aiengine man page"
.SH NAME
aiengine \- AIEngine (in binary form) is a next generation network intrusion detection system engine capable of learning without any human intervention, with NIDS (Network Intrusion Detection System) functionality, DNS domain classification, network collection and many other features.
.SH SYNOPSIS
aiengine --help
.SH DESCRIPTION
AIEngine helps network and security professionals to identify traffic and develop signatures for use in NIDS, firewalls, traffic classifiers and so on.
.SH OPTIONS
.PP
Mandatory arguments to long options are mandatory for short options too.
.TP
\fB\-i\fR, \fB\-\-input\fR
Sets the network interface, pcap file or directory with pcap files to analyze.
.PP

Link Layer optional arguments.
.TP
\fB\-q\fR, \fB\-\-tag\fR
Selects the tag type of the Ethernet layer (vlan, mpls).
.PP

TCP optional arguments.
.TP
\fB\-t\fR, \fB\-\-tcp-flows\fR
Sets the number of TCP flows on the pool. 32768 flows is the default value.
.PP

UDP optional arguments.
.TP
\fB\-u\fR, \fB\-\-udp-flows\fR
Sets the number of UDP flows on the pool. 16384 flows is the default value.
.PP

Domain optional arguments.
.TP
\fB\-D\fR, \fB\-\-domain-file\fR
Reads domain names from a file.
.TP
\fB\-B\fR, \fB\-\-domain-protocol\fR
Protocol to plug the domain-file (dns, ssl, http).
.TP
\fB\-S\fR, \fB\-\-matched-domain\fR
Shows only the domains that match.
.PP

Regex optional arguments.
.TP
\fB\-R\fR, \fB\-\-enable-signatures\fR
Enables the Regex engine. This implies that all the payloads of the flows will be processed by this engine.
.TP
\fB\-r\fR, \fB\-\-regex\fR
Sets the regex to evaluate against the flows.
.TP
\fB\-c\fR, \fB\-\-flow-class\fR
Selects tcp, udp or all as the class of flows the signature is matched against.
.TP
\fB\-m\fR, \fB\-\-matched-flows\fR
Shows on stdout the flows that match the given regex.
.TP
\fB\-M\fR, \fB\-\-matched-packet\fR
Shows the packet payload that matches the regex.
.TP
\fB\-C\fR, \fB\-\-continue\fR
Continue evaluating the regex with the next packets of the flow.
.TP
\fB\-j\fR, \fB\-\-reject-flows\fR
Rejects the flows that match a regex. This functionality only works with root permissions and is only available on the StackLan and StackLanIPv6 stacks.
.TP
\fB\-w\fR, \fB\-\-evidence\fR
Generates a pcap file with the traffic matching the regex, for forensic analysis.
.PP

Frequencies optional arguments.
.TP
\fB\-F\fR, \fB\-\-enable-frequencies\fR
Enables the Frequency engine. This implies that all the payloads of the flows will be processed by this engine.
.TP
\fB\-g\fR, \fB\-\-group-by\fR
Groups frequencies by src-ip, dst-ip, src-port or dst-port, or by a combination such as src-ip,src-port or dst-ip,dst-port.
.RS
.IP src-ip
source IP address.
.IP dst-ip
destination IP address.
.IP src-port
source port (UDP or TCP).
.IP dst-port
destination port (UDP or TCP).
.RE
.TP
\fB\-f\fR, \fB\-\-flow-type\fR
Selects the flows processed by the Frequency engine by protocol (TCP or UDP).
.TP
\fB\-L\fR, \fB\-\-enable-learner\fR
Enable the Learner engine in order to analyze the frequencies generated by the Frequency engine.
.TP
\fB\-k\fR, \fB\-\-key-learner\fR
The Learner engine needs a key to select which of the flows processed by the Frequency engine it analyzes.
.TP
\fB\-b\fR, \fB\-\-buffer-size\fR
Sets the size of the internal buffer used to generate the regex. A larger buffer lets the engine discover regex bytes at deeper offsets, at the cost of more memory to store the frequencies and the resulting regex.
.TP
\fB\-Q\fR, \fB\-\-byte-quality\fR
Sets the minimum byte quality for the generated regex expression. The default is 80, which means that the generated regex expression is correct for approximately 80% of the generated bytes.
.TP
\fB\-y\fR, \fB\-\-enable-yara\fR
Generates a YARA signature. See http://plusvic.github.io/yara/

.PP
Optional arguments.
.TP
\fB\-n\fR, \fB\-\-stack\fR
Selects the network stack for the analysis. There are six network stacks available at the moment.

.RS
.IP lan
StackLan contains the configuration of a regular LAN network (Ethernet, IP, TCP, UDP).
.IP lan6
StackLanIPv6 contains the configuration of a LAN network with IPv6 support (Ethernet, IPv6, TCP, UDP).
.IP mobile
StackMobile contains a 3G stack on the Gn interface (Ethernet, IP, UDP, GTP, IP, UDP, TCP).
.IP virtual
StackVirtual contains the configuration for Virtual/Cloud environments with support for GRE/VxLAN tunnels (Ethernet, IP, UDP, GRE, VxLAN, IP, UDP, TCP).
.IP oflow
StackOpenFlow contains the configuration for OpenFlow networks (Ethernet, IP, TCP, OpenFlow, Ethernet, IP, UDP, TCP).
.IP mobile6
StackMobileIPv6 contains an IPv6 stack on the Gn interface (Ethernet, IP, UDP, GTP, IPv6, UDP, TCP).
.RE
.TP
\fB\-d\fR, \fB\-\-dumpflows\fR
Dumps the processed flows to stdout; if a protocol is passed as argument, the output is filtered to that protocol.
.TP
\fB\-s\fR, \fB\-\-statistics\fR
Shows detailed statistics of every object plugged into the stack. There are five levels of detail.
.TP
\fB\-T\fR, \fB\-\-timeout\fR
Sets the flow timeout. The default is 180 seconds for every flow.
.TP
\fB\-P\fR, \fB\-\-protocol\fR
Show statistics of a specific protocol of the network stack.
.TP
\fB\-a\fR, \fB\-\-port\fR
Sets the HTTP listening port.
.TP
\fB\-e\fR, \fB\-\-release\fR
Release the caches.
.TP
\fB\-l\fR, \fB\-\-release-cache\fR
Release a specific cache, given a protocol as parameter.
.TP
\fB\-p\fR, \fB\-\-pstatistics\fR
Shows process statistics, such as memory consumption, context switching, and so on.
.TP
\fB\-K\fR, \fB\-\-keep-flows\fR
Keeps the network flows in memory for static analysis. The TCP and UDP connections stay in memory even if the timeout has expired or the TCP connection has been closed by RST or FIN flags.
.TP
\fB\-o\fR, \fB\-\-summary\fR
Shows a summary of protocols, such as bytes, packets, memory consumption and cache misses.
.TP
\fB\-A\fR, \fB\-\-anomalies\fR
Shows a summary of the anomalies of the packets.
.TP
\fB\-h\fR, \fB\-\-help\fR
display this help and exit
.TP
\fB\-v\fR, \fB\-\-version\fR
output version information and exit
.SH EXAMPLES
.PP
Some illustrative examples.
.PP
.nf
.B aiengine \-i ens7 \-s 5 \-P 'HTTPProtocol' \-dhttp
.fi
.PP
Capture all the traffic from the device
.B ens7
and show level 5 statistics of the
.B HTTPProtocol
together with a dump of the HTTP flows.
.PP
.nf
.B aiengine \-i eth0 \-R \-r '^GET capa.exe.*capacitacion.inami.gob.mx.*$' \-m
.fi
.PP
Capture traffic from
.B eth0
and apply the regular expression
.B ^GET capa.exe.*capacitacion.inami.gob.mx.*$
to TCP and UDP traffic, showing the matching flows on stdout.
.PP
.nf
.B aiengine \-i eth0 \-t 500000 \-R \-r '^\\x16\\x03.*somethingonthenet.*$' \-c tcp \-m
.fi
.PP
Capture traffic from
.B eth0
with a pool of
.B 500000
TCP flows and apply the regular expression
.B ^\\x16\\x03.*somethingonthenet.*$
to
.B tcp
traffic only, showing the matching flows on stdout.
.PP
.nf
.B aiengine \-i /defcon21/european_defcon/ \-F \-g dst-ip \-L \-k '10.5.7.2'
.fi
.PP
Process all the pcap files of the directory
.B /defcon21/european_defcon/
and apply frequency analysis grouping the flows by
.B dst-ip
then run the Learner on the flows whose key is the IP address
.B 10.5.7.2
and print the generated regex on stdout.
.PP
.nf
.B aiengine \-i /pwningyeti/ \-F \-g dst-ip,dst-port \-L \-k 10.5.17.2:4321 \-y
.fi
.PP
Process all the pcap files of the directory
.B /pwningyeti/
and apply frequency analysis grouping the flows by
.B dst-ip
and
.B dst-port
then run the Learner on the flows whose key is the IP address and port
.B 10.5.17.2:4321
and print the generated regex and a YARA signature on stdout.
.PP
For more complex examples check the wiki page and the examples folder, which cover more advanced functionality.

.SH BUGS
No known bugs.
.SH AUTHOR
Luis Campo Giralte (luis.camp0.2009@gmail.com)
